Potential Invoke-Mimikatz PowerShell Script
This rule detects the use of Invoke-Mimikatz or Mimikatz commands within PowerShell scripts to dump credentials, extract password stores, export certificates, or use alternate authentication material, indicating potential in-memory credential access.
This detection identifies PowerShell script block content containing Invoke-Mimikatz or Mimikatz command syntax, which attackers use to extract credentials, password stores, and certificates. Because the activity is in-memory credential access, triage requires reconstructing the full script block from its logged fragments before the impact can be assessed. The rule matches specific keywords and command patterns associated with Mimikatz within PowerShell script blocks. Defenders should prioritize alerts from this rule because of the potential for significant compromise. The Elastic detection rule was last updated on 2026/04/24.
Attack Chain
- An attacker gains initial access to the target system, potentially through phishing or exploiting a vulnerability.
- The attacker executes a PowerShell script, either directly or through a payload.
- The PowerShell script contains obfuscated or encoded Mimikatz commands.
- The script leverages techniques to bypass AMSI (Anti-Malware Scan Interface) to avoid detection.
- The script utilizes Invoke-Mimikatz or direct Mimikatz commands to dump credentials from memory (LSASS process).
- The attacker extracts password hashes, plaintext passwords, and Kerberos tickets.
- The attacker uses the stolen credentials to move laterally within the network.
- The final objective is to gain access to sensitive data or critical systems, leading to data exfiltration or further compromise.
Impact
Successful credential dumping can compromise user accounts, including privileged accounts. This enables lateral movement within the network, access to sensitive data, and potential data exfiltration. Credential dumping via Mimikatz is a common technique in many intrusions and frequently precedes widespread damage and significant financial loss. The rule's high risk score of 99 reflects the severe potential impact of this activity.
Recommendation
- Enable PowerShell Script Block Logging so that Microsoft-Windows-PowerShell/Operational event ID 4104 is collected; this is the event the detection depends on, as described in the rule's setup instructions.
- Deploy the detection rule in your SIEM and tune it for your environment to detect potential Mimikatz usage within PowerShell scripts.
- Investigate any alert generated by this rule by reconstructing the full PowerShell script block: group 4104 events by powershell.file.script_block_id, order them by powershell.sequence, and confirm that the number of fragments equals powershell.total, as described in the rule's notes.
- Monitor for file creation events following the detection to identify potential credential dumps, archives, or exported certificates, as highlighted in the rule's notes.
Detection coverage (2 rules)
Detect PowerShell Script Containing Mimikatz Commands
Severity: critical. Detects PowerShell script block content containing commands associated with Mimikatz, potentially indicating credential access attempts.
Detect PowerShell Script with Vault Credential Access
Severity: high. Detects PowerShell script block content accessing vault credentials, which is a Mimikatz technique.
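Worked example of the triage step from the recommendations above and of the two coverage entries, added here as illustration rather than taken from the Elastic rule: it reassembles constructed 4104 events by powershell.file.script_block_id, orders the fragments by powershell.sequence, checks completeness against powershell.total, and then matches the reconstructed text against a small keyword set in Mimikatz command syntax. The sample events, the keyword list, and the critical/high split are assumptions of this example and do not reproduce the platform's actual query.

```python
import re
from collections import defaultdict

# Constructed sample of PowerShell script block logging events (event ID 4104),
# already mapped to the ECS-style field names the rule's notes refer to.
# Not real telemetry: block "blk-1" is split into three fragments the way
# Windows logs large script blocks, and "blk-4" is missing its second fragment.
SAMPLE_EVENTS = [
    {"event.code": "4104", "host.name": "WS01", "user.name": "jdoe",
     "powershell.file.script_block_id": "blk-1", "powershell.sequence": 2, "powershell.total": 3,
     "powershell.file.script_block_text": "Invoke-Mimikatz -Command '\"privilege::debug\" "},
    {"event.code": "4104", "host.name": "WS01", "user.name": "jdoe",
     "powershell.file.script_block_id": "blk-1", "powershell.sequence": 1, "powershell.total": 3,
     "powershell.file.script_block_text": "$ErrorActionPreference = 'SilentlyContinue'; "},
    {"event.code": "4104", "host.name": "WS01", "user.name": "jdoe",
     "powershell.file.script_block_id": "blk-1", "powershell.sequence": 3, "powershell.total": 3,
     "powershell.file.script_block_text": "\"sekurlsa::logonpasswords\" \"exit\"'"},
    {"event.code": "4104", "host.name": "WS01", "user.name": "svc_backup",
     "powershell.file.script_block_id": "blk-2", "powershell.sequence": 1, "powershell.total": 1,
     "powershell.file.script_block_text": "Get-ChildItem C:\\Temp | Measure-Object"},
    {"event.code": "4104", "host.name": "WS02", "user.name": "jdoe",
     "powershell.file.script_block_id": "blk-3", "powershell.sequence": 1, "powershell.total": 1,
     "powershell.file.script_block_text": ".\\mk.exe \"vault::list\" \"vault::cred /patch\" exit"},
    {"event.code": "4104", "host.name": "WS02", "user.name": "jdoe",
     "powershell.file.script_block_id": "blk-4", "powershell.sequence": 1, "powershell.total": 2,
     "powershell.file.script_block_text": "$c = \"lsadump::sam\"; Start-Job { "},
    # A 4103 (pipeline execution) event is carried along to show it is ignored.
    {"event.code": "4103", "host.name": "WS02", "user.name": "jdoe"},
]

# Illustrative keyword set (an assumption of this example, not the platform's query).
# The split mirrors the two coverage entries: Mimikatz command syntax is critical,
# vault credential access on its own is high. Matching is case-insensitive.
CRITICAL_PATTERNS = [
    r"invoke-mimikatz", r"sekurlsa::", r"lsadump::", r"kerberos::(golden|ptt)",
    r"crypto::(certificates|keys)", r"dpapi::", r"misc::memssp",
    r"privilege::debug", r"token::elevate",
]
HIGH_PATTERNS = [r"vault::cred", r"vault::list"]


def reassemble(events):
    """Group 4104 fragments by script block id and rebuild the text in sequence order."""
    by_id = defaultdict(list)
    for ev in events:
        if ev.get("event.code") != "4104":
            continue
        by_id[ev["powershell.file.script_block_id"]].append(ev)
    blocks = {}
    for block_id, frags in by_id.items():
        frags.sort(key=lambda e: e["powershell.sequence"])
        total = frags[0]["powershell.total"]
        seqs = [f["powershell.sequence"] for f in frags]
        blocks[block_id] = {
            "host": frags[0]["host.name"],
            "user": frags[0]["user.name"],
            "text": "".join(f["powershell.file.script_block_text"] for f in frags),
            # Complete only if every sequence number 1..total is present exactly once.
            "complete": seqs == list(range(1, total + 1)),
            "fragments": f"{len(frags)}/{total}",
        }
    return blocks


def classify(text):
    """Return (severity, matched patterns) for one reconstructed block, or None."""
    hits = [p for p in CRITICAL_PATTERNS if re.search(p, text, re.I)]
    if hits:
        return "critical", hits
    hits = [p for p in HIGH_PATTERNS if re.search(p, text, re.I)]
    if hits:
        return "high", hits
    return None


def triage(events):
    """Reconstruct every block, classify it, and return one alert per matching block."""
    alerts = []
    for block_id, blk in reassemble(events).items():
        verdict = classify(blk["text"])
        if verdict is None:
            continue
        severity, hits = verdict
        alerts.append({"block_id": block_id, "severity": severity, "indicators": hits,
                       "complete": blk["complete"], "fragments": blk["fragments"],
                       "host": blk["host"], "user": blk["user"], "script": blk["text"]})
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        flag = "" if a["complete"] else " (INCOMPLETE: fetch remaining fragments before assessing impact)"
        print(f"[{a['severity']}] {a['host']} {a['user']} block {a['block_id']} {a['fragments']}{flag}")
        print("  indicators:", ", ".join(a["indicators"]))
        print("  script:", a["script"])
```

Two points this makes that the rule summary alone does not: the fragment logged first (sequence 2 in the sample) is not the start of the script, so alerting on a single 4104 event and reading it in isolation gives a misleading picture, and an alert on an incomplete block (here blk-4, 1/2 fragments) should be treated as a signal to pull the remaining fragments from the host rather than as a full reconstruction. Keyword sets in this style need tuning per environment; the list here is deliberately short.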